 

Driver Install Fails Because Cross Signing Chain doesn't contain microsoft

Do you know why "Microsoft Code Verification Root" would be missing from a signing certificate chain?

We recently moved a build system between two domains and had to re-install certs. We found that we had a signing problem where Microsoft wasn't in the chain causing kernel driver rejection during install.

We noticed that we had 2 additional certs in certmgr : Trusted Publisher : Certificates

  • Class 3 Public Primary Certification..
  • Verisign Class 3 Code Signing...

After disabling Class 3 Public Primary Certification the "problem" went away and we have the proper signing chain with Microsoft on top.

I'm not sure how Class 3 Public Primary Certification was installed or what we were using it for, and am testing to see what impacts we might face.

Has anyone run into this kind of problem, and how did they approach it? Is there a way to disable the use of the class-3 on the command line so I can leave the certmgr setting alone, thereby reducing risk?

Thanks for the help

Peter

Sign Command

signtool.exe sign /v /ac MSCV-VSClass3.cer /s TrustedPublisher /n "My Corp" /t http://timestamp.verisign.com/scripts/timstamp.dll mydriver.sys

Sign Verification

signtool verify /kp /v mydriver.sys

Signing Certificate Chain:
    Issued to: Class 3 Public Primary Certification Authority
    Issued by: Class 3 Public Primary Certification Authority
    Expires:   8/2/2028 7:59:59 PM
    SHA1 hash: xxxxxxxxxxxxxxxxxx

        Issued to: VeriSign Class 3 Code Signing 2009-2 CA
        Issued by: Class 3 Public Primary Certification Authority
        Expires:   5/20/2019 7:59:59 PM
        SHA1 hash: xxxxxxxxxxxxxxxxxx

            Issued to: My Corp
            Issued by: VeriSign Class 3 Code Signing 2009-2 CA
            Expires:   9/10/2013 8:59:59 PM
            SHA1 hash: xxxxxxxxxxxxxxxxxx
Peter Kahn asked Oct 10 '22 03:10



1 Answer

In theory, I can install the cross-sign cert from verisign that matches my cert into a cert store and signtool will automatically use it. However, this can lead to the wrong cert being used to cross sign.

Being explicit is better

  • Install my cert in the TrustedPublisher store for the user that signs, via certmgr.msc
  • Obtain the right cert for your cert (https://knowledge.verisign.com/support/code-signing-support/index?page=content&actp=CROSSLINK&id=SO5820)
  • Be explicit when signing

SignTool.exe sign /v /s trustedpublisher /ac path-to-retrieved-cert\MSCV-VSClass3.cer /n myCertName /t http://timestamp.verisign.com/scripts/timestamp.dll driver-file-to-sign

  • Verify

SignTool.exe verify /kp /v driver-file-to-check

or if you have a catalog file

SignTool.exe verify /kp /v /c driver-cat-file.cat driver-sys-file.sys

Peter Kahn answered Oct 18 '22 07:10

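The check the question and answer are circling around, as an added PowerShell example that is not part of the original question or answer: build the signer's chain on the local machine, report which root it terminates at (the question expects "Microsoft Code Verification Root" on top), and list any self-signed certificate sitting in the CurrentUser\TrustedPublisher store, which is the condition Peter found behind the wrong chain. The parameter names `$DriverPath` and `$ExpectedRootSubject` are chosen for this example; it assumes Windows PowerShell 5.1 or later and uses only `Get-AuthenticodeSignature`, the .NET `X509Chain` class and the `Cert:` drive.

```powershell
# Added example, not code from the original post. Reports the chain the local
# chain engine builds for a signed driver and lists self-signed certificates in
# the TrustedPublisher store. $DriverPath and $ExpectedRootSubject are names
# chosen for this example.
param(
    [Parameter(Mandatory = $true)][string]$DriverPath,
    [string]$ExpectedRootSubject = 'Microsoft Code Verification Root'
)

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature found on $DriverPath (status: $($sig.Status))"
}
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# Build the chain from the signer certificate with the local chain engine.
# Revocation checking is skipped so the check also works offline; turn it back
# on (Online) if this is used as a release gate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($sig.SignerCertificate)
if (-not $built) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain build reported: $reasons"
}

Write-Output "Signing certificate chain (leaf first):"
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Output ("  Issued to: {0}`n  Issued by: {1}`n  Expires:   {2}`n  SHA1 hash: {3}`n" -f `
        $c.Subject, $c.Issuer, $c.NotAfter, $c.Thumbprint)
}

# The last element is the root the chain engine stopped at. For a kernel-mode
# driver cross-signed as in the question, that should be Microsoft's root and
# not the CA vendor's own root.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -like "*$ExpectedRootSubject*") {
    Write-Output "OK: chain terminates at '$ExpectedRootSubject'."
} else {
    Write-Warning "Chain terminates at '$($root.Subject)', not at '$ExpectedRootSubject'."
}

# The question reports that a self-signed CA root in TrustedPublisher produced a
# chain ending at that root instead of the cross-signed one. A self-signed
# certificate is one whose Subject equals its Issuer, so list exactly those.
Write-Output "`nSelf-signed certificates in CurrentUser\TrustedPublisher:"
Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Run it as `.\Check-DriverChain.ps1 -DriverPath .\mydriver.sys` (the script name is arbitrary). Note that `X509Chain` shows the chain this machine's chain engine builds from the signer certificate, which is what matters at install time; to see the chain signtool actually embedded in the file, `signtool verify /kp /v` from the answer remains the right tool, and the two should agree once the stray root is out of the store.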